Privacy-preserving Information Sharing: Tools and Applications
(Volume 1)
Emiliano De Cristofaro
University College London (UCL)
https://emilianodc.com
FOSAD 2016
Prologue
Privacy-Enhancing Technologies (PETs):
- Increase privacy of users, groups, and/or organizations
PETs often respond to privacy threats
- Protect personally identifiable information
- Support anonymous communications
- Privacy-respecting data processing
Another angle: privacy as an enabler
- Actively enabling scenarios otherwise impossible w/o clear privacy guarantees
Sharing Information w/ Privacy
Needed when parties with limited mutual trust are willing or required to share information
Only the required minimum amount of information should be disclosed in the process
- Relaxing the tension between the benefits of collaboration/compliance and associated risks
Secure Computation (2PC)
Alice (a) and Bob (b) jointly compute f(a,b); each learns f(a,b)
Security in Secure Computation
Goldreich to the rescue!
Oded Goldreich. Foundations of cryptography: Basic Applications, Ch. 7.2. Cambridge Univ Press, 2004.
Computational indistinguishability from an execution in the “ideal world”, involving a trusted third party (TTP)
Adversaries
Outside adversaries?
- Not considered! Standard network security takes care of that
Honest but curious
- Honest: follows protocol specifications, does not alter inputs
- Curious: attempts to infer other party’s input
Malicious
- Arbitrary deviations from the protocol
Formalize/Prove Security (HbC)
The Ideal World/Real World Indistinguishability
- Consider an ideal implementation where TTP receives inputs of both parties and outputs the result of the defined function
- In the real implementation (without a TTP), each party does not learn more information than in the ideal one
- → Computational indistinguishability of views
With malicious adversaries, it is a bit more complicated (“simulation”) → later
How to Implement 2PC?
1. Garbled Circuits
- Sender prepares a “garbled” circuit and sends it to the receiver, who obliviously evaluates the circuit, learning the encodings corresponding to both his and the sender’s output
2. Special-Purpose Protocols
- Implement one specific function (and only that)
- Usually based on public-key crypto properties
- [Have you ever heard of homomorphic encryption?]
Privacy-Preserving Information Sharing with 2PC?
Alice (a) and Bob (b) jointly compute f(a,b); each learns f(a,b)
Map information sharing to f(·,·)?
Realize secure f(·,·) efficiently?
Quantify information disclosure from output of f(·,·)?
Private Set Intersection (PSI)
Server: $S = \{s_1, \ldots, s_w\}$
Client: $C = \{c_1, \ldots, c_v\}$
Private Set Intersection outputs $S \cap C$
Private Set Intersection?
DHS (Terrorist Watch List) and Airline (Passenger List)
- Find out whether any suspect is on a given flight
IRS (Tax Evaders) and Swiss Bank (Customers)
- Discover if tax evaders have accounts at foreign banks
Hoag Hospital (Patients) and SSA (Social Security DB)
- Patients with fake Social Security Number
Straightforward PSI
For each item s, the Server sends SHA-256(s)
For each item c, the Client computes SHA-256(c)
Learn the intersection by matching SHA-256’s outputs
What’s the problem with this?
Background: Pseudorandom Functions
A deterministic function:
Efficient to compute
Outputs of the function “look” random
$x \to f \to f_k(x)$, where the key $k$ is the second input to $f$
Oblivious PRF
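One party inputs the key $k$, the other party inputs $x$
OPRF computes $f_k(x)$, which is output to the party that supplied $x$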
OPRF-based PSI
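Server: $S = \{s_1, \ldots, s_w\}$, key $k$
Client: $C = \{c_1, \ldots, c_v\}$
OPRF $f_k(x)$: server inputs $k$, client inputs $c_i$ and obtains $f_k(c_i)$
Client: $T_i = f_k(c_i)$
Server: computes $T'_j = f_k(s_j)$ and sends it to the client
Unless $s_j$ is in the intersection, $T'_j$ looks random to the client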
OPRF from Blind-RSA Signatures
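RSA Signatures:
- Keys: public $(N = p \cdot q,\ e)$, private $d$, with $e \cdot d \equiv 1 \bmod (p-1)(q-1)$
- $Sig_d(x) = H(x)^d \bmod N$
- $Ver(Sig(x), x) = 1 \Leftrightarrow Sig(x)^e = H(x) \bmod N$
PRF: $f_d(x) = H(sig_d(x))$ ($H$ one way function)
Server ($d$), Client ($x$):
1. Client picks $r \in Z_N$ and sends $a = H(x) \cdot r^e$
2. Server replies with $b = a^d$ $(= H(x)^d r^{ed})$
3. Client computes $sig_d(x) = b / r$ and $f_d(x) = H(sig_d(x))$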
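The OPRF-based PSI slide combined with the Blind-RSA OPRF above, as an added Python example that is not part of the original slides. The modulus built from two Mersenne primes, the SHA-256 stand-ins for $H$, the name `H_out` for the outer hash and the sample sets are assumptions of this example; the key is far too small for real use.

```python
import hashlib, secrets
from math import gcd

# Toy RSA key (constructed for this example): two Mersenne primes, NOT a secure modulus.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # server's secret exponent d

def H(item):
    """Hash into Z_N (assumed stand-in for the full-domain hash H)."""
    return int.from_bytes(hashlib.sha256(item.encode()).digest(), "big") % N

def H_out(sig):
    """Outer hash of the signature, giving f_d(x) = H(sig_d(x))."""
    return hashlib.sha256(sig.to_bytes((N.bit_length() + 7) // 8, "big")).hexdigest()

def client_blind(item):
    """Client: pick r invertible mod N, send a = H(x) * r^e mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r, H(item) * pow(r, E, N) % N

def server_sign_blinded(a):
    """Server: b = a^d mod N; it only ever sees the blinded value a."""
    return pow(a, D, N)

def client_unblind(b, r, item):
    """Client: sig = b / r mod N, verified with the public key, then hashed."""
    sig = b * pow(r, -1, N) % N
    if pow(sig, E, N) != H(item):
        raise ValueError("server reply is not a valid signature on the item")
    return H_out(sig)

def server_tags(server_set):
    """Server: T'_j = f_d(s_j), computed directly with d."""
    return {H_out(pow(H(s), D, N)) for s in server_set}

def psi(client_set, server_set):
    """Run the OPRF once per client item and match T_i against the T'_j."""
    tags = server_tags(server_set)
    out = set()
    for c in client_set:
        r, a = client_blind(c)
        b = server_sign_blinded(a)
        if client_unblind(b, r, c) in tags:
            out.add(c)
    return out
```
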
PSI “Flavors”
Honest-but-Curious (HbC) or Malicious Security?
- HbC adversaries follow protocol specifications but try to violate privacy of other parties (passive)
- Malicious adversaries can arbitrarily deviate (active)
Cardinality only? Data Transfer?
PSI w/ Data Transfer (PSI-DT)
Server: $S = \{(s_1, data_1), \ldots, (s_w, data_w)\}$
Client: $C = \{c_1, \ldots, c_v\}$
PSI-DT: $S \cap C = \{(s_j, data_j) \mid \exists c_i \in C : c_i = s_j\}$
PSI w/ Data Transfer
[Figure: PSI-DT protocol between Client and Server]
See: De Cristofaro, Lu, Tsudik, Efficient Techniques for Privacy-preserving Sharing of Sensitive Information, TRUST 2011
How can we build PSI-DT?
A closer look at PSI
Server: $S = \{s_1, \ldots, s_w\}$
Client: $C = \{c_1, \ldots, c_v\}$
Private Set Intersection outputs $S \cap C$
What if the client populates C with its best guesses for S?
Client needs to prove that inputs satisfy a policy or be authorized
- Authorizations issued by appropriate authority
- Authorizations need to be verified implicitly
Authorized Private Set Intersection (APSI)
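Server: $S = \{s_1, \ldots, s_w\}$
Client: $C = \{(c_1, auth(c_1)), \ldots, (c_v, auth(c_v))\}$
Court: issues the authorizations
Authorized Private Set Intersection: $S \cap C \stackrel{def}{=} \{ s_j \in S \mid \exists c_i \in C : c_i = s_j \wedge auth(c_i) \text{ is valid} \}$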
OPRF w/ Implicit Signature Verification
Server inputs $k$; Client inputs $sig(x)$
OPRF with ISV, output to the client:
$$\begin{cases} f_k(x) & \text{if } Ver(sig(x), x) = 1 \\ \$ & \text{otherwise} \end{cases}$$
A simple OPRF-like with ISV
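Court issues authorizations: $Sig(x) = H(x)^d \bmod N$
OPRF: $f_k(x) = F(H(x)^{2k} \bmod N)$
Server ($k$), Client ($H(x)^d$):
1. Client picks $r \in Z_N$ and sends $a = H(x)^d g^r$
2. Server replies with $b = a^{2 \cdot e \cdot k}$ and $g^k$ $(b = H(x)^{2edk} g^{2rek})$
3. Client computes $H(x)^{2k} = b / g^{2erk}$ and $f_k(x) = F(H(x)^{2k})$ (Implicit Verification)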
OPRF with ISV – Malicious Security
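OPRF: $f_k(x) = F(H(x)^{2k})$
Server ($k$), Client ($H(x)^d$):
1. Client picks $r \in Z_N$ and computes $a = H(x)^d g^r$, $\alpha = H(x)(g')^r$, $\pi = ZKPK\{r : a^{2e}/\alpha^2 = (g^e/g')^{2r}\}$
2. Server computes $b = a^{2ek}$ $(b = H(x)^{2edk} g^{2rek})$, $g^k$, $\pi' = ZKPK\{k : b = a^{2ek}\}$
3. Client computes $H(x)^{2k} = b / g^{2erk}$ and $f_k(x) = F(H(x)^{2k})$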
APSI: Preliminaries
Setup
- Executed by the Court, on input sec. par. $\lambda$
- $(n, e, d) \leftarrow RSA.KeyGen(1^\lambda)$ on safe primes
- Pick $g, g'$ generators of $QR_n$
- Select $H_1 : \{0,1\}^* \to Z_n$ (full-domain hash)
- Select $H_2 : \{0,1\}^* \to \{0,1\}^\lambda$
- Public parameters: $n, e, g, g', H_1(), H_2()$
Authorize
- On item $c_i$, CA releases $\sigma_i = H(c_i)^d \bmod n$
Notation
- Client has v items, $(c_1, \ldots, c_v)$, and $c_i$ denotes i-th generic element
- Server has w items, $(s_1, \ldots, s_w)$, and $s_j$ denotes j-th generic element
- $hs_j = H(s_j)$, $hc_i = H(c_i)$, $\sigma_i = (hc_i)^d$
APSI with linear complexity
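Common Input: $n, e, g, g', H_1(), H_2()$ (computation mod $n$)
SERVER: $(s_1, \ldots, s_w)$
CLIENT: $((c_1, \sigma_1), \ldots, (c_v, \sigma_v))$
1. Client, for each $i$:
- $b_i, b'_i \leftarrow \{0,1\}$, $R_{c:i} \leftarrow Z_{N/2}$
- $M_i = (-1)^{b_i} \cdot \sigma_i \cdot g^{R_{c:i}}$
- $N_i = (-1)^{b'_i} \cdot hc_i \cdot (g')^{R_{c:i}}$
- $ZKP_c = ZK\{R_{c:i} \mid M_i^{2e}/N_i^{2} = (g^e/g')^{2R_{c:i}}\}$
- Client → Server: $\{M_i, N_i\}$
2. Server:
- $R_s \leftarrow Z_{N/2}$
- $Z = g^{2eR_s}$, $M'_i = (M_i)^{2eR_s}$
- $K_{s:j} = (hs_j)^{2R_s}$, $T_{s:j} = H_2(K_{s:j}, hs_j, s_j)$
- $ZKP_s = ZK\{R_s \mid Z = g^{2eR_s},\ M'_i = (M_i)^{2eR_s}\}$
- Server → Client: $Z, \{M'_i\}, \{T_{s:j}\}$
3. Client:
- $K_{c:i} = M'_i \cdot Z^{-R_{c:i}}$
- $T_{c:i} = H_2(K_{c:i}, hc_i, c_i)$
Client gets intersection $C \cap S$: $c_i$ in $C \cap S$ if and only if $T_{c:i}$ in $\{T_{c:1}, \ldots, T_{c:v}\} \cap \{T_{s:1}, \ldots, T_{s:w}\}$
If $hs_j = (\sigma_i)^e$ then $K_{s:j} = (hs_j)^{2R_s} = K_{c:i}$:
$$K_{c:i} = M'_i \cdot Z^{-R_{c:i}} = M_i^{2eR_s} \cdot g^{-R_{c:i} \cdot 2eR_s} = \sigma_i^{2eR_s} \cdot g^{2eR_sR_{c:i}} \cdot g^{-2eR_sR_{c:i}} = (hc_i)^{2R_s} = (hs_j)^{2R_s} = K_{s:j}$$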
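The honest-but-curious core of the linear-complexity APSI above, as an added Python example that is not from the original slides: the sign bits $(-1)^{b_i}$, the values $N_i$ and both zero-knowledge proofs are left out. The Mersenne-prime modulus (not built from safe primes), the base g = 4, the SHA-256 stand-ins for $H_1$ and $H_2$, and the sample items are assumptions of this example.

```python
import hashlib, secrets

# Toy Court key (constructed): Mersenne primes, not the safe primes the setup calls for.
P, Q = 2**127 - 1, 2**89 - 1
N, E, G = P * Q, 65537, 4              # public parameters n, e, g
D = pow(E, -1, (P - 1) * (Q - 1))      # Court's signing exponent d

def H1(item):
    """Assumed stand-in for the full-domain hash H1 into Z_n."""
    return int.from_bytes(hashlib.sha256(item.encode()).digest(), "big") % N

def H2(k, h, item):
    """Assumed stand-in for H2 over (K, h, item)."""
    return hashlib.sha256(f"{k}|{h}|{item}".encode()).hexdigest()

def court_authorize(item):
    """Court: sigma = H1(c)^d mod n."""
    return pow(H1(item), D, N)

def client_blind(sigma):
    """Client: M = sigma * g^Rc mod n (sign bit omitted)."""
    r_c = secrets.randbelow(N // 2)
    return r_c, sigma * pow(G, r_c, N) % N

def server_round(blinded, server_set):
    """Server: Z = g^(2eRs), M'_i = M_i^(2eRs), T_s:j = H2(hs_j^(2Rs), hs_j, s_j)."""
    r_s = secrets.randbelow(N // 2 - 1) + 1
    z = pow(G, 2 * E * r_s, N)
    m_prime = [pow(m, 2 * E * r_s, N) for m in blinded]
    tags = {H2(pow(H1(s), 2 * r_s, N), H1(s), s) for s in server_set}
    return z, m_prime, tags

def client_finish(pairs, r_cs, z, m_prime, tags):
    """Client: K_c:i = M'_i * Z^(-Rc:i); equals hc_i^(2Rs) only for a valid sigma_i."""
    out = set()
    for (c, _), r_c, mp in zip(pairs, r_cs, m_prime):
        k = mp * pow(z, -r_c, N) % N
        if H2(k, H1(c), c) in tags:
            out.add(c)
    return out

def apsi(pairs, server_set):
    """pairs: list of (item, authorization) held by the client."""
    blinds = [client_blind(sigma) for _, sigma in pairs]
    z, m_prime, tags = server_round([m for _, m in blinds], server_set)
    return client_finish(pairs, [r for r, _ in blinds], z, m_prime, tags)
```

An item paired with an authorization issued for a different item yields a key that matches no server tag, which is the implicit verification at work.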
Complexity
Input size:
- Client’s set contains v items
- Server’s set contains w items
Computational Complexity:
- Client computes O(v) modular exponentiations
- Server computes O(w+v) modular exponentiations
- Exponentiations: 1024-bit mod 1024-bit
  - < 0.1ms on PC
  - ~1ms on a smartphone
Communication Complexity:
- O(w+v)
Proofs in Malicious Model
Secure Computation of Authorized Set Intersection
- Use the Real World/Ideal World paradigm
From a malicious client C*, construct an ideal world simulator $SIM_C$
- $SIM_C$ interacts with C* and extracts C* inputs
- $SIM_C$ interacts with the ideal-world server through a TTP to get the intersection
- $SIM_C$ plays (with C*) the role of the server on input the intersection
- C*’s views when interacting with the simulator or in the real-world interaction are indistinguishable (show a reduction)
From a malicious server S*, construct an ideal world simulator $SIM_S$
- Similar idea but easier since the server has no output
Set Size in PSI
Server: $S = \{s_1, \ldots, s_w\}$, set size $w$
Client: $C = \{c_1, \ldots, c_v\}$, set size $v$
Private Set Intersection outputs $S \cap C$
Why size matters?
DHS can’t disclose the size of the TWL
- TWL is dynamic: revealing its size leaks sensitive information
Fluctuations in set size may be even more sensitive
Ideally, the server’s workload should be independent of client’s input size
Feasibility of Size-Hiding
Run PSI with Random Padding?
- Client chaffs up its set up to a fixed size
- Upper bound would always be leaked
- If client set is dynamic, the fixed size must reflect maximum possible set size: waste of computation and communication
Secure Two-Party Computation?
- Input sizes are reciprocally known
- Some feasibility results (Lindell & Orlandi, Chase & Visconti), but require massive machinery (FHE, PCP)
SHI-PSI: The Building Blocks
RSA accumulator [Baric-Pfitzmann’97]
- $g^{\prod_i x_i} \bmod N$
Unpredictable function
- $f_{p,q}(x, y) = x^{(1/y) \bmod \phi(N)} \bmod N$
- Unpredictable if p,q are not known
- Under the RSA assumption on safe moduli
- Cannot invert in the exponent
SHI-PSI Intuition
The server selects N=pq
The client: (doesn’t know p,q)
- Compute a global witness $X$ for its set
- An RSA accumulator on its (hashed) items
- Hides client items (size too)
The server: (knows p,q)
- Compute $f_{p,q}(X, s_j) = X^{1/H(s_j)}$
- Apply a one-way function (a cryptographic hash)
- The hash of an unpredictable function is a PRF (in ROM)
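SHI-PSI: The Protocol
Common Input: $N = pq$, $g$, $H()$, $F()$
Client input: $C = \{c_1, \ldots, c_i, \ldots, c_v\}$
Server input: $p, q$, $S = \{s_1, \ldots, s_j, \ldots, s_w\}$
1. Client:
- $PCH \stackrel{def}{=} \prod_{i=1}^{v} hc_i$
- $\forall i: PCH_i \stackrel{def}{=} \prod_{l \neq i} hc_l$
- $R_C \in_r \{1, \ldots, N^2\}$
- $X = (g^{PCH})^{R_C} \bmod N$
- Client → Server: $X$
2. Server:
- $R_S \in_r \{0, \ldots, p'q'-1\}$
- $\forall j: K_{s:j} = X^{R_S \cdot (1/hs_j)} \pmod N$
- $\forall j: T_{s:j} = F(K_{s:j})$
- Server → Client: $g^{R_S}$, $\{T_{s:1}, \ldots, T_{s:w}\}$
3. Client:
- $\forall i: K_{c:i} = (g^{R_S})^{R_C \cdot PCH_i} \pmod N$
- $\forall i: T_{c:i} = F(K_{c:i})$
- OUTPUT: $\{T_{c:1}, \ldots, T_{c:v}\} \cap \{T_{s:1}, \ldots, T_{s:w}\}$
Correctness: $\forall c_i \in S \cap C$, $\exists j$ s.t. $c_i = s_j \Rightarrow hc_i = hs_j$, so
$$K_{c:i} = g^{R_S R_C \cdot PCH_i} = X^{R_S (1/hs_j)} = K_{s:j} \Rightarrow T_{c:i} = T_{s:j}$$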
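An added Python run of the SHI-PSI protocol above (not from the original slides). The safe-prime search, the roughly 61-bit toy primes, g = 4, the 40-bit odd hash used for $H$ (odd and smaller than $p'$, $q'$ so that $1/hs_j$ exists modulo $\phi(N)$) and SHA-256 for $F$ are assumptions of this example.

```python
import hashlib, secrets
from math import prod

def is_prime(n):
    """Miller-Rabin; these bases are deterministic for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(start):
    """First safe prime p = 2p' + 1 with p' >= start."""
    pp = start | 1
    while not (is_prime(pp) and is_prime(2 * pp + 1)):
        pp += 2
    return 2 * pp + 1

# Toy parameters (constructed): far too small for real use.
P, Q = safe_prime(2**60), safe_prime(2**61)   # known to the server only
N, G = P * Q, 4                               # common input N, g
PHI = (P - 1) * (Q - 1)                       # 4 * p' * q', server only

def H(item):
    """40-bit odd hash, hence coprime to phi(N) and invertible in the exponent."""
    return int.from_bytes(hashlib.sha256(item.encode()).digest()[:5], "big") | 1

def F(k):
    return hashlib.sha256(str(k).encode()).hexdigest()

def client_round1(items):
    """Client: X = (g^PCH)^R_C mod N, a single value whatever |C| is."""
    r_c = secrets.randbelow(N * N) + 1
    return r_c, pow(G, prod(H(c) for c in items) * r_c, N)

def server_round(x, server_set):
    """Server: T_s:j = F(X^(R_S * 1/hs_j) mod N), returned with g^R_S."""
    r_s = secrets.randbelow(PHI // 4)         # R_S in {0, ..., p'q' - 1}
    tags = {F(pow(x, r_s * pow(H(s), -1, PHI), N)) for s in server_set}
    return pow(G, r_s, N), tags

def client_round2(items, r_c, g_rs, tags):
    """Client: K_c:i = (g^R_S)^(R_C * PCH_i); keep c_i when F(K_c:i) is a server tag."""
    out = set()
    for c in items:
        pch_i = prod(H(other) for other in items if other != c)
        if F(pow(g_rs, r_c * pch_i, N)) in tags:
            out.add(c)
    return out

def shi_psi(client_set, server_set):
    r_c, x = client_round1(client_set)
    return client_round2(client_set, r_c, *server_round(x, server_set))
```
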
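SHI-PSI: Complexity
λ = length of H() outputs, v = |C|, w = |S|
Client input: $C = \{c_1, \ldots, c_i, \ldots, c_v\}$
Server input: $p, q$, $S = \{s_1, \ldots, s_j, \ldots, s_w\}$
Client:
- $PCH = \prod_{i=1}^{v} hc_i$, $\forall i: PCH_i = \prod_{l \neq i} hc_l$
- $R_C \in_r \{1, \ldots, N^2\}$, $X = (g^{PCH})^{R_C} \bmod N$
Server:
- $R_S \in_r \{0, \ldots, p'q'-1\}$
- $\forall j: K_{s:j} = X^{R_S \cdot (1/hs_j)}$, $T_{s:j} = F(K_{s:j})$
- Sends $g^{R_S}$, $\{T_{s:1}, \ldots, T_{s:w}\}$
Client:
- $\forall i: K_{c:i} = (g^{R_S})^{R_C \cdot PCH_i}$, $T_{c:i} = F(K_{c:i})$
Costs annotated on the steps:
- v λ-bit exps
- w |N|-bit exps
- v·(v-1) λ-bit exps; O(v log(v)) λ-bit exps with Tree-based Optimization
- 1 |N|-bit exps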
SHI-PSI: Security
Assumptions
- Random Oracle Model (ROM)
- Honest-but-Curious (HbC) adversaries
- RSA assumption on safe moduli
Client Privacy: Indistinguishability
- For every PPT S* that plays the role of the server, for every input set S, and for any client input sets $(C^{(0)}, C^{(1)})$, the two views of S* corresponding to client’s inputs $C^{(0)}$ and $C^{(1)}$ are computationally indistinguishable. (Even if $|C^{(0)}| \neq |C^{(1)}|$.)
Server Privacy: Comparison to Ideal Model
- Let $View_{Client}(C,S)$ be a random variable representing Client’s view during execution of SHI-PSI with inputs (C,S). There exists a PPT algorithm C* s.t.:
$$\{C^*(C, S \cap C)\}_{(C,S)} \equiv \{View_{Client}(C,S)\}_{(C,S)}$$
Special-purpose PSI
[DT10]: scales efficiently to very large sets
- First protocol with linear complexities and fast crypto
[DKT10]: extends to arbitrarily malicious adversaries
- Works also for Authorized Private Set Intersection
[DJLLT11]: PSI-based database querying
- Won IARPA APP challenge, basis for IARPA SPAR
[DT12]: optimized toolkit for PSI
- Privately intersect sets – 2,000 items/sec
[ADT11]: size-hiding PSI
Other Building Blocks
[DGT12]: Private Set Intersection Cardinality-only
[BDG12]: Private Sample Set Similarity
[DFT13]: Private and Size-Hiding Substring/Pattern Matching
[DJL11]: Private Database Querying